Welcome to the Application Security Community of Practice. Our mission is to openly share resources and expertise in the domain of application security in order to enhance the overall knowledge and capabilities of the community.

One of the key messages that IBM talks to our customers about as it relates to security is the concept of "Secure by Design". This means that we want to help our customers build security in from the beginning. There's been a lot of discussion in the security community about some comments made at a recent security summit that developers don't know <bleep> about security. I agree with this post by John Wilander that the appsec community needs to do a better job teaming with developers instead of just telling them that they don't know what they're doing. John Wilander says that in his interviews of 200+ developers, this is what they care about:

"Software Priorities According to Developers

1. Functions and features as specified or envisioned
2. Performance
3. Usability
4. Uptime
5. Maintainability
6. Security"

As security practitioners we need to ensure that we can talk to developers in terms that make us partners and not adversaries. We need to facilitate education and training that makes security not an afterthought or a burden but something that just becomes part of what they do day to day, kind of like how they follow Java coding standards. This situation reminds me a lot of what I saw when I first started working with Rational 14 years ago and we worked with customers implementing our Java IDE (Rational Application Developer, Rational Software Architect, or even just base Eclipse). I worked with a lot of new Java programmers and we would talk to them about the importance of using standard Java coding conventions for file organization, comments, naming, etc. Did they like having us impose these standards? Not really; they just wanted to write code. But their management saw the importance for reasons such as ensuring readability and improving the ease of maintenance, and over time code reviews and adherence to these standards just became part of the process. Also over time the developers themselves realized the importance of these standards. Readability and ease of maintenance (two benefits of coding standards) are great, but they are nothing compared with the negative impact that management should be worried about from security flaws: financial loss, loss of reputation, loss of intellectual capital. So why isn't development management more open to the importance of security? Well, IMHO, who can blame the development teams for being resistant when many appsec folks show up with a list of everything that's wrong with their code after they've been working long hours and weekends to meet tight deadlines imposed on them by the business?

If you're a developer do you agree with the above list? Have you had "run-ins" with the appsec folks?

If you're an appsec person, what do you think can be done to improve the relationship and help move security up that priority list?